FinalsClub / karmaworld

KarmaNotes.org v3.0
GNU Affero General Public License v3.0

school autocomplete ajax returns 403 in HTTPS #323

Closed btbonval closed 10 years ago

btbonval commented 10 years ago

This is not a problem on Beta. I'm not sure if this problem is a newly introduced bug (newer than code running on Beta) or a bug specific to my environment.

I can add a course with HTTP and the school field will autocomplete. When I switch to HTTPS, I get:

POST https://localhost:6659/school/list/ [HTTP/1.1 403 FORBIDDEN 4ms]

btbonval commented 10 years ago

Appears not to even call school_list, the 403 is coming before that.

btbonval commented 10 years ago

Typing /school/list/ into the URL bar does trigger the server's pdb.set_trace() I dropped into school_list. However, the autocomplete AJAX does not trigger the same breakpoint, even though it should be calling the same school_list.

btbonval commented 10 years ago

URL /school/list/:

> /home/vagrant/karmaworld/karmaworld/apps/courses/views.py(109)school_list()
-> if not (request.method == 'POST' and request.is_ajax()
(Pdb) request.method
'GET'
(Pdb) c
[06/Feb/2014 23:22:27] "GET /school/list/ HTTP/1.0" 400 18

AJAX from Add Course:

[06/Feb/2014 23:22:31] "GET / HTTP/1.0" 200 3661
[06/Feb/2014 23:22:37] "POST /school/list/ HTTP/1.0" 403 544

btbonval commented 10 years ago

"Django does indeed receive the HTTP POST as I do hit _HandleRequest(), however it returns a 403 Forbidden, instead of hitting my handler function. I experimented and sent a HTTP GET from my client application and in this case I am able to hit my handler function." https://groups.google.com/forum/#!topic/django-users/Z7rKIzyu7VM

People are talking about CSRF problems.

I noted another CSRF problem in HTTPS in this comment (https://github.com/FinalsClub/karmaworld/issues/320#issuecomment-34402578) which was going to lead to a ticket.

I'm going to take a stab in the dark and assume the root of this problem is CSRF on HTTPS.
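The HTTP-works / HTTPS-403 pattern above is consistent with a CSRF middleware that runs an extra check on secure requests. Django's CsrfViewMiddleware compares the submitted token with the cookie on every unsafe request, but on HTTPS it also requires a Referer header whose scheme is https and whose host matches the request host (a defence against the Referer being spoofed or suppressed). The model below is an added example written for this issue, not karmaworld code and not Django's implementation; the request dicts, token value, and scenario names are constructed, and whether this is actually the cause of #323 is an assumption the example does not settle.

```python
"""Simplified model of the CSRF checks a Django-style middleware applies
to an unsafe request. Added example for this issue; not karmaworld code
and not Django's own code. All request data below is constructed."""
import hmac
from urllib.parse import urlparse

# Constructed sample token; a real csrftoken cookie is random per session.
TOKEN = "a3f9c1e2d4b5a6978877665544332211"

def csrf_verdict(request: dict) -> str:
    """Return 'ok', or a short reason that would map to a 403."""
    # Safe methods are never CSRF-checked, which is why a GET to
    # /school/list/ reaches the view while the POST does not.
    if request["method"] in ("GET", "HEAD", "OPTIONS", "TRACE"):
        return "ok"

    # HTTPS-only check: Referer must be present, https, and same host.
    if request["scheme"] == "https":
        referer = request["headers"].get("Referer")
        if not referer:
            return "referer_missing"
        ref = urlparse(referer)
        if ref.scheme != "https" or ref.netloc != request["host"]:
            return "referer_mismatch"

    # Token may arrive as a form field or as the X-CSRFToken header
    # (the header is what AJAX calls normally use).
    submitted = (request["post"].get("csrfmiddlewaretoken")
                 or request["headers"].get("X-CSRFToken"))
    if not submitted:
        return "token_missing"
    # Constant-time comparison against the cookie value.
    if not hmac.compare_digest(submitted, request["cookies"].get("csrftoken", "")):
        return "token_mismatch"
    return "ok"

def make_request(scheme, host, method="POST", referer=None,
                 header_token=None, cookie_token=None):
    """Build a constructed request dict in the shape csrf_verdict expects."""
    headers = {}
    if referer:
        headers["Referer"] = referer
    if header_token:
        headers["X-CSRFToken"] = header_token
    cookies = {"csrftoken": cookie_token} if cookie_token else {}
    return {"scheme": scheme, "host": host, "method": method,
            "headers": headers, "post": {}, "cookies": cookies}

def autocomplete_scenarios(host="localhost:6659"):
    """Same autocomplete POST under several constructed conditions."""
    return {
        # Valid token, no Referer: passes over HTTP ...
        "http_no_referer": csrf_verdict(make_request(
            "http", host, header_token=TOKEN, cookie_token=TOKEN)),
        # ... but the identical request over HTTPS is rejected.
        "https_no_referer": csrf_verdict(make_request(
            "https", host, header_token=TOKEN, cookie_token=TOKEN)),
        # Referer pointing at the http origin also fails on HTTPS.
        "https_http_referer": csrf_verdict(make_request(
            "https", host, referer=f"http://{host}/",
            header_token=TOKEN, cookie_token=TOKEN)),
        # Correct Referer and token: accepted.
        "https_good": csrf_verdict(make_request(
            "https", host, referer=f"https://{host}/",
            header_token=TOKEN, cookie_token=TOKEN)),
        # Correct Referer but the AJAX call never sent the header.
        "https_no_token": csrf_verdict(make_request(
            "https", host, referer=f"https://{host}/", cookie_token=TOKEN)),
        # Typing the URL into the address bar is a GET: never checked.
        "get_in_url_bar": csrf_verdict(make_request(
            "https", host, method="GET")),
    }

if __name__ == "__main__":
    for name, verdict in autocomplete_scenarios().items():
        print(f"{name:20s} -> {verdict}")
```

When chasing a 403 like this one, the useful defender-side check is the reason string the middleware logs rather than the status code alone: the two Referer failures and the two token failures are distinct conditions with distinct fixes (send the cookie token in X-CSRFToken for AJAX; make sure the page and its POSTs share one https origin).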

btbonval commented 10 years ago

Just to test: 403 both logged in and logged out while browsing with HTTPS. I thought maybe it was due to the SSLRedirect adjustments I made, or Django is somewhere requiring me to be logged in as per the above forum thread. Neither appears to be the source of the problem.

btbonval commented 10 years ago

Problem solved in #324